What is the best way to manage firewalls with Ansible?

So far I’ve found a few tools that let me manage linux firewalls.

  • iptables

  • ufw

  • shorewall

  • ferm

I’m not skilled with any of them, and ufw is the only one I’ve really used. I know enough to block everything but the ports I actually use. I’m a bit fuzzy on firewalls because we have a very good hardware firewall in place that I don’t manage. Adding firewalls to each VM is me being extra careful.

Both iptables and ufw appear to operate by running commands on the command line. So I could do that via the command or shell module. That means I’d end up running the firewall commands every time I run my Ansible playbooks. And I think I’d end up restarting the firewall every time as well.

Both of those things don’t seem like good things to do. Am I right in that? Or would it be perfectly fine to run the commands and restart the firewall every time I run Ansible?

Shorewall and ferm appear to use config files to set the rules, then they run the iptables commands for you from them. At least I think that’s how they work. That would let me use templates for the config file. I like that. But I don’t like how complicated the files are. Both projects’ documentation makes it kind of hard to figure out where to start.

I did find the start of a ufw module (https://groups.google.com/d/topic/ansible-project/I1Vd3oPBfFw/discussion), but it doesn’t look like it’s going anywhere.

What other options are there? What do you do?

I’d say whatever your external rules are will cover that; the rest of the requirements should be on your internal side.

Do you manage your internal networks and adjust firewalls?

-luke

Yes, the firewall also manages internal DMZs. We are protected quite well; adding the firewall to the VMs on our network is just one extra step to be as secure as possible.

I do have a few VMs outside the main firewall; on those I’m currently using ufw.

So the main point of my post was just to get a general idea of how others are managing firewalls with Ansible.

I'm using shorewall for all my VMs. It's kinda overkill for a single
nic, but I find it works quite well with ansible.
The configuration for VMs with a single nic is very basic.

The files

   shorewall.conf (one setting changed from default)
   policy (3 lines)
   zones (2 lines)
   interfaces (1 line)

are somewhat trivial and identical across all VMs.

The

   rules (3 - 10 lines)

file is where the ingress and egress filtering is controlled and is
easily templated.

I also 'chain' handlers as follows to ensure modifications don't leave
iptables in a bad state:

tasks:
    ....

    notify: check shorewall

    ....

handlers:

    - name: check shorewall
      command: /sbin/shorewall check
      notify: restart shorewall

    - name: restart shorewall
      action: service name=shorewall state=restarted

I'm happy to provide some initial content to get you started.

Cheers,

K

Kahlil (Kal) Hodgson GPG: C9A02289
Head of Technology (m) +61 (0) 4 2573 0382
DealMax Pty Ltd (w) +61 (0) 3 9008 5281

Suite 1415
401 Docklands Drive
Docklands VIC 3008 Australia

"All parts should go together without forcing. You must remember that
the parts you are reassembling were disassembled by you. Therefore,
if you can't get them together again, there must be a reason. By all
means, do not use a hammer." -- IBM maintenance manual, 1925
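As an added example (not Kahlil's own playbook), the handler chain above written out in full together with a templated single-NIC rules file: `shorewall check` compiles the whole configuration without loading it, so a bad rules file fails there and the restart handler is never notified. The variable `firewall_tcp_ports`, the Ping macro line and the use of `copy` with inline content are assumptions; the zones, policy and interfaces files are taken as already deployed.

```yaml
# Added example, not from Kahlil's post. Assumes zones/policy/interfaces are
# already in place (a 'net' zone on the single NIC, $FW = this host) and a
# role variable `firewall_tcp_ports` listing the services this VM exposes.
- hosts: all
  become: yes
  vars:
    firewall_tcp_ports: [22, 80, 443]   # constructed sample value
  tasks:
    - name: deploy shorewall rules
      copy:
        dest: /etc/shorewall/rules
        owner: root
        group: root
        mode: '0600'
        # Jinja inside 'content' is rendered by Ansible before the copy
        content: |
          #ACTION        SOURCE   DEST   PROTO   DPORT
          Ping(ACCEPT)   net      $FW
          {% for port in firewall_tcp_ports %}
          ACCEPT         net      $FW    tcp     {{ port }}
          {% endfor %}
      notify: check shorewall

  handlers:
    # 'shorewall check' compiles the configuration without loading it.
    # If it fails, this handler fails and 'restart shorewall' never runs,
    # so the currently loaded (known-good) ruleset stays in place.
    - name: check shorewall
      command: /sbin/shorewall check
      notify: restart shorewall

    - name: restart shorewall
      service:
        name: shorewall
        state: restarted
```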

I also think shorewall is a good way to deploy firewall configuration
using ansible.

I tried to use iptables-persistent, but shorewall allows you to split the
rules into many files. Using run-parts in /etc/shorewall/rules, you can
put any file in rules.d/.

So in my "common" playbook, I only deploy common rules (close
everything by default, allow ping and ssh). Then, each role can add
some rules. The "webserver" role, for instance, adds a rule file to
open the HTTP and HTTPS ports.

You just have to pay attention to the order in which the files will be
executed.

On 13/10/08 14:43, Kahlil Hodgson wrote:

Generally speaking, I like to do the following with iptables

{% if 'webservers' in group_names %}
section of iptables config for webservers
{% endif %}

And just template the config file, and set up a notify to reload iptables when it changes.

I should also point out there is a firewalld module in the devel branch now too.

So, to resurrect an old topic… And remind myself why I like having a hardware firewall covering my behind…

I’ve about figured out how to use the UFW module correctly. Which makes me happy.

Unfortunately, I have to administer SLES and CentOS VMs as well. I was going to use the firewalld module, but then I couldn’t find a firewalld package in the repos to install…

That leaves me kind of hanging…

CentOS has /etc/sysconfig/iptables if I knew iptables.

Not sure if SLES has a decent command line interface I could use… It does use a GUI tool, which would force me to install a GUI on the server, so I might just run them manually…

Anyway, apologies for the rambling, it’s the end of the day for me. Here are my questions:

Has anyone looked at creating an iptables module that would just work on all OSes that have Python and iptables? Maybe make the most common stuff easy, and then have a way for people to input a full iptables command? So people running simple stuff, like me, could make a task like

iptables: ports="22,2222" proto="tcp,udp" allowed_from="10.0.0.0/8" allowed_to="everywhere"

More complicated stuff could be:

iptables: command="stuff that is currently gibberish to me"

Michael, you mentioned a config file, which one were you talking about?

Is there a way to install firewalld that my google-fu missed? Or even ufw?

Is there a really good introduction to iptables that you would recommend? Since the obvious route to solve my problem is to suck it up and learn iptables…

Thanks!

"CentOS has /etc/sysconfig/iptables if I knew iptables."

Learning iptables config is not hard actually, nor is templating it.

It can be used for very complex things (http://www.ex-parrot.com/pete/upside-down-ternet.html), but simple accept/deny rules are straightforward.

You just write the iptables config file and then have to do /sbin/service iptables restart to make it “apply”

Google “manage iptables” and you should be able to find some good examples.

I can’t say I have any specific tutorials or references that I like, but others may have some good ones.

So anyway, hopefully at least good for some encouragement!

If you need a GUI, Firewall Builder (http://www.fwbuilder.org/) is a
desktop app that can generate iptables rules (among others); you can
use it to get the commands for your templates.

Though iptables is not hard, the syntax can get clunky. The new Linux
firewall system, nftables, is much nicer, with clearer syntax; it
seems to borrow some good things from BSD's pf (packet filter). It
might not be available to you yet.

@Michael I assume you are templating the /etc/sysconfig/iptables in CentOS, and /etc/iptables/rules.v4 in Ubuntu files? I just figured out that you can install the iptables-persistent package in Ubuntu, I hadn’t been sure what files you were referring to before that…

So, a reload on CentOS would be service iptables restart. What about Ubuntu? cat /etc/iptables/rules.v4 | iptables-restore ?

@Brian, I took a look at fwbuilder. Looks almost as complicated as iptables itself. At least for my limited needs. Maybe if I was doing something more complicated… Thanks for the tip.

Hi David & list,

@Michael I assume you are templating the /etc/sysconfig/iptables in
CentOS, and /etc/iptables/rules.v4 in Ubuntu files? I just figured out
that you can install the iptables-persistent package in Ubuntu, I hadn't
been sure what files you were referring to before that...

You can also simply do this in /etc/network/interfaces:

...
iface eth0 inet static
    pre-up iptables-restore < /etc/network/iptables
    ...

without resorting to iptables-persistent.

So, a reload on CentOS would be ```service iptables restart```. What
about Ubuntu? ```cat /etc/iptables/rules.v4 | iptables-restore``` ?

For this, I have a flush script that I push with ansible, which
basically does:

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

@Brian, I took a look at fwbuilder. Looks almost as complicated as
iptables itself. At least for my limited needs. Maybe if I was doing
something more complicated... Thanks for the tip.

I'll probably try "ferm" RSN. Since it supports '.d' style configuration
layout (@include 'ferm.d/'), it should be really easy to integrate the
necessary rules in each ansible role, without resorting to the assemble
module (or worse, trying to write an omnipotent iptables rules file, been
there...).

http://ferm.foo-projects.org/

M
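As an added example (not code from anyone in the thread), the iptables approach Michael describes and the CentOS/Ubuntu reload question David asks, put together in one play: the saved-ruleset file is rendered in iptables-restore format with a `group_names` section, validated before it lands, and reloaded with `iptables-restore`, which replaces the table in a single commit instead of flushing to ACCEPT and rebuilding. The variable `ssh_allowed_from`, the `webservers` group name and the use of `copy` with inline content are assumptions; SLES is not covered.

```yaml
# Added example, not from the thread. Assumes an inventory group 'webservers'
# and a variable `ssh_allowed_from`; paths are the two files named in the thread.
- hosts: all
  become: yes
  vars:
    ssh_allowed_from: 10.0.0.0/8          # constructed sample value
    # Saved-ruleset location per distro family
    iptables_rules_file:
      RedHat: /etc/sysconfig/iptables     # CentOS
      Debian: /etc/iptables/rules.v4      # Ubuntu with iptables-persistent
  tasks:
    - name: deploy iptables ruleset
      copy:
        dest: "{{ iptables_rules_file[ansible_os_family] }}"
        mode: '0600'
        # Ansible writes the rendered file to a temp path (%s) and installs it
        # only if iptables-restore can parse the whole ruleset.
        validate: /sbin/iptables-restore --test %s
        # Jinja inside 'content' is rendered before the copy
        content: |
          *filter
          :INPUT DROP [0:0]
          :FORWARD DROP [0:0]
          :OUTPUT ACCEPT [0:0]
          -A INPUT -i lo -j ACCEPT
          -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
          -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
          -A INPUT -p tcp --dport 22 -s {{ ssh_allowed_from }} -m state --state NEW -j ACCEPT
          {% if 'webservers' in group_names %}
          # section of iptables config for webservers
          -A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
          {% endif %}
          # Everything else is logged (rate limited) and then hits the DROP policy
          -A INPUT -m limit --limit 1/s -j LOG --log-prefix "iptables denied: "
          COMMIT
      notify: reload iptables

  handlers:
    # iptables-restore swaps the table in one commit, so the host is never
    # left with empty chains or ACCEPT policies while the new rules load.
    - name: reload iptables
      shell: /sbin/iptables-restore < {{ iptables_rules_file[ansible_os_family] }}
```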